@standardagents/builder 0.17.1 → 0.17.3

package/dist/index.js

@@ -917,7 +917,7 @@ function resolvePlatformRouting(providerName, env) {
 var DEFAULT_PLATFORM_PROXY_ORIGIN, PROVIDER_BASE_PATHS;
 var init_platform_routing = __esm({
   "src/agents/providers/platform-routing.ts"() {
-    DEFAULT_PLATFORM_PROXY_ORIGIN = "https://proxy.standardagents.ai";
+    DEFAULT_PLATFORM_PROXY_ORIGIN = "https://api.standardagents.ai";
     PROVIDER_BASE_PATHS = {
       cloudflare: "/ai/v1"
     };
@@ -19696,8 +19696,9 @@ import { isThreadEndpoint } from "@standardagents/spec";
 const PUBLIC_ROUTES = [
   '/api/auth/bootstrap',
   '/api/auth/login',
-  '/api/auth/bootstrap',
   '/api/auth/config',
+  '/api/auth/sa/start',     // Login with Standard Agents (OAuth) \u2014 unauthenticated entry
+  '/api/auth/sa/callback',  // OAuth callback (sets the session cookie)
   '/api/config',
   '/api/auth/oauth/github',
   '/api/auth/oauth/google',
@@ -19710,15 +19711,31 @@ const PUBLIC_ROUTES = [
   '/api/hooks'  // Hook metadata is safe to expose publicly
 ];
 
+// True when the platform deployed this instance (injects STANDARD_AGENTS_HOSTED).
+// Hosted instances are internet-reachable and multi-tenant, so the thread data
+// API and event/stream WebSockets must NOT be anonymously public the way they
+// are in single-user local dev \u2014 they require a session (admin) or API key (SDK).
+function isHostedInstance(env) {
+  const value = env && env.STANDARD_AGENTS_HOSTED;
+  if (typeof value === 'string') {
+    const trimmed = value.trim().toLowerCase();
+    return trimmed !== '' && trimmed !== '0' && trimmed !== 'false';
+  }
+  return Boolean(value);
+}
+
 // Check if a route is public (no auth required)
-function isPublicRoute(routePath) {
+function isPublicRoute(routePath, hosted) {
   // Exact match for auth routes
   if (PUBLIC_ROUTES.includes(routePath)) {
     return true;
   }
 
-  // Thread routes are always public
-  if (routePath.startsWith('/api/threads/') || routePath === '/api/threads') {
+  // Thread routes (REST + message/log stream WebSockets) are public in local
+  // single-user dev, but on a hosted deployment they require auth \u2014 requireAuth
+  // accepts the admin's session (cookie or token) or the SDK's API key, so this
+  // only blocks anonymous access to another tenant's threads/messages/files.
+  if (!hosted && (routePath.startsWith('/api/threads/') || routePath === '/api/threads')) {
     return true;
   }
 
@@ -19820,7 +19837,7 @@ ${packedThreadRouteCode}
 
   if (routeMatch) {
     // Check if authentication is required for this route
-    const publicRoute = isPublicRoute(routePath);
+    const publicRoute = isPublicRoute(routePath, isHostedInstance(env));
     const isApiRoute = routePath.startsWith('/api/');
 
     let authContext = null;
@@ -20573,6 +20590,19 @@ async function hashToken(token) {
   const hashArray = new Uint8Array(hashBuffer);
   return Array.from(hashArray, (byte) => byte.toString(16).padStart(2, "0")).join("");
 }
+var SESSION_COOKIE_NAME = "agtuser_session";
+function readSessionCookie(request) {
+  const header = request.headers.get("Cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const eq = part.indexOf("=");
+    if (eq === -1) continue;
+    if (part.slice(0, eq).trim() === SESSION_COOKIE_NAME) {
+      return decodeURIComponent(part.slice(eq + 1).trim()) || null;
+    }
+  }
+  return null;
+}
 function isValidUserToken(token) {
   return token.startsWith("agtuser_") && token.length > 10;
 }
@@ -20646,6 +20676,10 @@ function extractBearerToken(request) {
   if (authHeader && authHeader.startsWith("Bearer ")) {
     return authHeader.substring(7);
   }
+  const cookieToken = readSessionCookie(request);
+  if (cookieToken) {
+    return cookieToken;
+  }
   const isWebSocket = request.headers.get("upgrade")?.toLowerCase() === "websocket";
   if (isWebSocket) {
     try {